oss-sec mailing list archives
Re: Out-of-bounds read & write in the glibc's qsort()
From: Qualys Security Advisory <qsa () qualys com>
Date: Mon, 5 Feb 2024 15:56:41 +0000
Hi Solar, all,

On Sun, Feb 04, 2024 at 05:35:20PM +0100, Solar Designer wrote:
> It's so invasive I cannot easily tell whether qsort() remained robust after it or not. There's no longer a "tmp_ptr != base_ptr &&" check. So, lacking known-working tests in glibc tree, we don't know about glibc 2.39's status with respect to this issue.

The "tmp_ptr != base_ptr" bounds check was originally added to the _quicksort() function, but is not needed anymore in glibc 2.39 because the old fallback to quick sort (the _quicksort() function) has been completely removed and replaced by a fallback to heap sort. Note, just in case: we have not reviewed the implementation of this new fallback to heap sort.

> Great findings and excellent quality write-up from Qualys, as usual.

Thank you very much for your kind words!

With best regards,

--
the Qualys Security Advisory team